Apple's claims about iPhone privacy and security are exaggerated, according to software engineer and security expert Nicolas Seriot, who gave a presentation yesterday about the iPhone at the Black Hat DC conference.
Apple's sandboxing technology restricts iPhone applications' access to operating-system resources with a list of deny/allow rules enforced at the kernel level, but these and other permissions are "way too loose," and "Apple should not claim that an application cannot access data from another application," said Seriot, who works as an iPhone programming trainer at a company called Sen:te.
Seriot noted a number of iPhone apps, including one called Aurora Feint and another called mogoRoad, that made it into Apple's App Store before being de-listed for privacy violations involving the harvesting of iPhone users' contacts, e-mails and phone numbers. Apple reviewers can be fooled, and the likelihood of this continuing to occur appears high, especially as the iPhone, now at about 34 million devices in the market, becomes an increasingly appealing target for hackers, he said.
Seriot is examining these kinds of issues for some Swiss financial institutions that want to know about iPhone security and privacy. About 8% of iPhones today are believed to be "jailbroken," meaning the user has effectively disabled controls in order to run whatever software he wants, not just what's available in the App Store, and malware aimed at them is starting to grow.
Separate from the jailbreaking issue, Seriot has found in his own investigation that sensitive personal data can be picked up just by building an application with the known, public iPhone APIs, with no jailbreak or exploit required.
To illustrate why he's skeptical about iPhone privacy and security, Seriot designed what he calls his SpyPhone app (it's not available through official Apple iPhone channels, but intended to illustrate his point). With SpyPhone, it's possible to peer into e-mail addresses, the user account and server information -- though not the password, he said. Recent Safari and YouTube searches are also laid out.
If an iPhone uses Wi-Fi, information is revealed about which Wi-Fi networks have been used, as well as "my phone number and the last person dialed," said Seriot, who gave a brief demo of the SpyPhone application he wrote. "What else? Location. When an iPhone app asks for the position of the user, it comes from the cache of the maps application."
Seriot said he thinks Apple should build something akin to an application firewall for the iPhone, so that the user is informed when certain actions are about to occur, such as an app trying to edit the address book, and can prevent them from happening.
However, Seriot also said he wasn't in favor of changing the underlying security mechanism so that antimalware software makers could scan for malware or perform other security functions. Several security vendors would like Apple to change the iPhone so their software could run on it, but Seriot expressed skepticism, suggesting these vendors simply want another market for their wares.
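To make the two halves of the article concrete, here is an added Objective-C example; it is not Seriot's SpyPhone code and does not come from the PCWorld article. The first function shows what the paragraphs above describe: on the iOS of the time, any App Store app could read the whole address book through the documented AddressBook framework, with no prompt and no entitlement. The second function shows the kind of "application firewall" gate Seriot asks for, built with the consent-prompt calls Apple added later in iOS 6 (ABAddressBookGetAuthorizationStatus and ABAddressBookRequestAccessWithCompletion), which post-date this talk. The contact-formatting helper and the "SpyPhoneDemo" error domain are this example's own assumptions, not anything from the article.

```objectivec
#import <Foundation/Foundation.h>
#import <AddressBook/AddressBook.h>

// Helper (this example's own): build "Name: first phone number" strings for
// every contact in an address book the caller already holds a reference to.
static NSArray *ContactSummaries(ABAddressBookRef ab) {
    NSMutableArray *out = [NSMutableArray array];
    if (!ab) return out;                         // NULL means access was refused
    CFArrayRef people = ABAddressBookCopyArrayOfAllPeople(ab);
    CFIndex n = people ? CFArrayGetCount(people) : 0;
    for (CFIndex i = 0; i < n; i++) {
        ABRecordRef person = (ABRecordRef)CFArrayGetValueAtIndex(people, i);
        NSString *name = (__bridge_transfer NSString *)ABRecordCopyCompositeName(person);
        ABMultiValueRef phones = ABRecordCopyValue(person, kABPersonPhoneProperty);
        NSString *first = nil;
        if (phones && ABMultiValueGetCount(phones) > 0) {
            first = (__bridge_transfer NSString *)ABMultiValueCopyValueAtIndex(phones, 0);
        }
        if (phones) CFRelease(phones);
        [out addObject:[NSString stringWithFormat:@"%@: %@",
                        name ?: @"(no name)", first ?: @"(no number)"]];
    }
    if (people) CFRelease(people);
    return out;
}

// (1) The pre-iOS 6 path the article describes: no prompt, no entitlement.
// Any App Store app could call this at launch and read every contact.
static NSArray *ReadContactsSilently(void) {
    ABAddressBookRef ab = ABAddressBookCreate();  // deprecated in iOS 6
    NSArray *result = ContactSummaries(ab);
    if (ab) CFRelease(ab);
    return result;
}

// (2) The gated path, the "application firewall" behaviour Seriot asks for:
// the user is prompted the first time, and the read is refused if the user
// has previously denied access or the device is restricted.
static void ReadContactsWithConsent(void (^done)(NSArray *contacts, NSError *error)) {
    CFErrorRef cfErr = NULL;
    ABAddressBookRef ab = ABAddressBookCreateWithOptions(NULL, &cfErr);
    if (!ab) { done(nil, (__bridge_transfer NSError *)cfErr); return; }

    switch (ABAddressBookGetAuthorizationStatus()) {
        case kABAuthorizationStatusAuthorized:
            done(ContactSummaries(ab), nil);
            break;
        case kABAuthorizationStatusNotDetermined:
            // The system prompt is shown here; data flows only if the user agrees.
            ABAddressBookRequestAccessWithCompletion(ab, ^(bool granted, CFErrorRef error) {
                dispatch_async(dispatch_get_main_queue(), ^{
                    done(granted ? ContactSummaries(ab) : nil,
                         granted ? nil : (__bridge NSError *)error);
                    CFRelease(ab);                // released here, not below
                });
            });
            return;
        default: // kABAuthorizationStatusDenied or kABAuthorizationStatusRestricted
            done(nil, [NSError errorWithDomain:@"SpyPhoneDemo"  // made-up domain
                                          code:1
                                      userInfo:@{NSLocalizedDescriptionKey:
                                                 @"Address book access denied"}]);
            break;
    }
    CFRelease(ab);
}
```

The difference between the two functions is the whole point of the talk: the data, the API and the sandbox are the same in both, and only the second one gives the user a chance to see the access and refuse it.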
CRITERION A: Presentation of the issue
Security is the social issue affected in this article. Software engineer and security expert Nicolas Seriot claims that Apple's statements about iPhone privacy and security are exaggerated. Apple's sandboxing technology is supposed to restrict iPhone applications' access to operating-system resources with a set of deny/allow rules, but Seriot claims these rules are "way too loose" and that "Apple should not claim that an application cannot access data from another application". A number of applications were allowed into Apple's App Store and later de-listed for privacy violations such as harvesting users' contacts, e-mail addresses and phone numbers; examples are "Aurora Feint" and "mogoRoad". This is a problem because there are now about 34 million iPhones in the market and the device is growing in popularity, so with applications like these around the iPhone is becoming an increasingly appealing target for hackers. It could also give the iPhone a negative image: people would view it as a low-security device and stop buying it, affecting Apple's business.
CRITERION B: IT Background of the issue
The iPhone has multiple functions: a video camera, text messaging, visual voicemail, a portable media player, web browsing, e-mail, and 3G and Wi-Fi connectivity. The user interface is built around a multi-touch screen, which provides a virtual keyboard instead of a physical one. The touchscreen is a 9 cm liquid crystal display designed for use with a bare finger. There are four generations of the iPhone; the first three have a resolution of 320 x 480 at 163 ppi and the fourth a resolution of 640 x 960 at 326 ppi. The touchscreen features are based on technology developed by a company called FingerWorks. The iPhone runs an operating system called iOS, which is derived from the Mac OS X operating system found on Mac computers. It also has the "Core Animation" software component from "Mac OS X v10.5 Leopard"; together with the "PowerVR" graphics hardware, "Core Animation" is responsible for the motion graphics on the iPhone. The operating system takes up less than half a gigabyte, leaving a large amount of space for users to download applications from Apple and from third-party developers.
CRITERION C: The impact of the issue
An advantage of the iPhone's third-party application platform (the App Store) is that owners can download all sorts of applications from other companies, keeping their iPhone up to date with those companies' releases and loading as many entertainment and utility applications as they have space for. With the security claims made by Apple, customers would not have to worry about the origins of the applications they download or the risk those applications pose to their security. The disadvantage is that, since "Apple's claims about iPhone privacy and security are exaggerated", as security expert Nicolas Seriot says, iPhones are being compromised through applications the owners download themselves. Owners believe they are safe and keep downloading applications while in reality they are still at risk, because of misleading information from Apple. This could cause a decrease in the iPhone's popularity and hurt the company financially. It could also lead to the company being sued by users on the basis of false statements made to market the product; in the extreme, the cost of such lawsuits could bankrupt the company, resulting in it shutting down or halting iPhone manufacture, which in any case would be a major financial blow.
CRITERION D: A solution to a problem arising from the issue
The easiest way of solving this issue is to improve the security of the iPhone so that it matches the claims made by Apple. First, Apple would need to fix the iPhone's software; because the sandbox rules are part of iOS rather than the hardware, this can be delivered as an iOS update instead of recalling devices from the market and returning them to the production line. The company would then have to invest in better security, for example an application firewall that warns the user before an app accesses sensitive data, or a much stricter list of deny/allow rules at the kernel level for applications. With this done, the company would have to test the iPhone against the applications that were able to breach its security, such as "Aurora Feint" and "mogoRoad". If possible, it would also be beneficial to test the iPhone against other potential attacks, and when all is done the company could release the fix to the market. Doing all this would require money and may be expensive. It is also time-consuming, and the company would have to figure out where the money would come from. Being careless here could result in debt, which in turn could have negative effects instead of the desired positive ones. To make this solution successful the company would have to answer: where will the money come from? How long should they spend fixing this problem? And how can they regain the trust of their customers?
CRITERION E: List of resources
iPhone Privacy, Security Not What Apple Claims, Researcher Says: title of the original article.
http://www.pcworld.com/article/188595/iphone_privacy_security_not_what_apple_claims_researcher_says.html (accessed 5 February 2010): the news article itself.
www.wikipedia.com/Iphone.html (access date recorded as 09/00/00): information about the iPhone and its components.
www.bbc.com/click (accessed 12 February 2010): website used for information about the impacts of the iPhone.
http://en.wikipedia.org/wiki/FingerWorks (accessed 9 February 2010): information about the hardware of the iPhone.
http://www.apple.com/iphone/?cid=oas-us-domains-iphone.com (accessed 6 February 2010): research on the iPhone.